For nearly everyone, the digital age has marked the end of absolute privacy, unless you’ve somehow managed to stay off the grid by never owning or using a credit card, cell phone or computer. Knowledge of our lack of privacy hits us between the eyes, figuratively and literally, when we’re on Facebook or Instagram and we’re served an ad from a local sushi restaurant—after we had just searched online for sushi restaurant options ten minutes earlier.
We know we’re being followed by marketers, and one of the ways it’s done is by marketing pixels, a.k.a. tracking pixels, which are snippets of code that allow marketers to gather information about visitors on a website, including their browsing history and what types of ads they click on. With this “behavior data,” a marketer can then send users a paid ad that’s likely to interest them.
When it comes to using tracking pixels, Facebook—or Meta—has mastered the craft. The Meta pixel is “one of the most prolific tracking tools on the internet—present on more than 30 percent of the most popular sites on the web,” according to The Markup, a nonprofit newsroom that monitors and investigates powerful institutions in their use of technology. (Their slogan: Big Tech is watching you. We’re watching Big Tech.)
What does a marketer receive in exchange for installing the Meta pixel on its website? Analytics about the ads they’ve placed on Facebook as well as tools to target people who’ve visited the website. The Meta pixel sends information to Facebook via scripts running in a person’s internet browser. Each data packet comes labeled with an IP address that, combined with other data, can identify a person or household.
The HIPAA dilemma
If you’re in healthcare, incorporating Meta pixels into your marketing plan can potentially be a violation of federal law. Signed into law in 1996, the U.S. Health Insurance Portability and Accountability Act (HIPAA) is a series of federal regulatory standards outlining the lawful use and disclosure of protected health information in the United States. HIPAA requires companies that deal with protected health information to have physical, network, and process security measures in place and follow them.
Crucially, IP addresses are among the identifiers HIPAA treats as “protected health information.” In short, the law prohibits entities such as hospitals from sharing personally identifiable health information with third parties like Facebook, except when an individual has expressly consented in advance or under certain contracts.
When it comes to healthcare data, Meta insists that it has tools to filter out sensitive data and prevent it from being ingested into ad rankings and optimizations. On its website, Meta lists the following categories of health-related data about individuals that is considered sensitive:
• Diseases, medical conditions, and injuries
• Sexual and reproductive health
• Mental health and psychological states
• Types of medical devices and health trackers
• Medical procedures/treatments/testing
• Medications/supplements (OTC and prescription)
• Body specifications, bodily activities and biological cycles
• Physical locations that identify a health condition, or places of treatment/counseling
Meta states that if its filtering systems detect that a business is sending potentially sensitive health data from its app or website through its use of Meta Business Tools, that data will be removed. But these safeguards are not perfect, which can result—and has resulted—in sensitive information getting out and being used to retarget users. In fact, a report by The Markup revealed a leaked 2021 document that quoted a Facebook engineer as saying that “[we] do not have an adequate level of control . . . over how our systems use data, and thus we can’t confidently make controlled policy changes or external commitments such as ‘we will not use X data for Y purpose.’”
So, if you’re a healthcare marketer, how can you be sure you’re maintaining HIPAA compliance when advertising on Meta? One of the best solutions is to pixel only your landing pages, and make sure pixels are not on any appointment scheduling forms or patient portals.
It could be argued that pixeling a specific web page (e.g., a page with information about diabetes) is not technically a HIPAA violation, because many people research medical issues on behalf of friends or loved ones. But because tracking pixels can’t determine motives, it’s probably best to restrict pixeling to generic landing pages.
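The placement rule above, as an added example that is not code from the original post or from Meta: a gate that allows the pixel only on generic landing pages and an audit that flags scheduling or portal pages still carrying it. The path patterns, parameter names and site inventory are constructed placeholders, not a real site.

```javascript
// Added example (not from the original post). Gate the Meta pixel so it
// runs only on generic landing pages, and audit a site inventory for pages
// that carry it but must not. All paths and parameters are hypothetical.

const ALLOWED_PREFIXES = ['/services/', '/locations/', '/about/'];
const BLOCKED_PATTERNS = [
  /^\/(appointments?|schedule|book)(\/|$)/i, // appointment scheduling forms
  /^\/(portal|patient|mychart|login)(\/|$)/i, // patient portals and sign-in
];
const SENSITIVE_PARAMS = /^(patient|mrn|appt|provider|dob)/i; // hypothetical

// Decide whether a page may load the pixel. A block always wins over an
// allow, and any patient-looking query parameter is treated as a block.
function shouldLoadPixel(url) {
  const { pathname, searchParams } = new URL(url, 'https://example.invalid');
  if (BLOCKED_PATTERNS.some((re) => re.test(pathname))) return false;
  for (const key of searchParams.keys()) {
    if (SENSITIVE_PARAMS.test(key)) return false;
  }
  return pathname === '/' || ALLOWED_PREFIXES.some((p) => pathname.startsWith(p));
}

// Audit: each inventory entry records whether the page currently carries
// the pixel. Returns the URLs where it is present but should not be.
function findPixelViolations(inventory) {
  return inventory
    .filter((page) => page.hasPixel && !shouldLoadPixel(page.url))
    .map((page) => page.url);
}

// Constructed sample inventory for a hypothetical clinic site.
const SAMPLE_INVENTORY = [
  { url: 'https://clinic.example/', hasPixel: true },
  { url: 'https://clinic.example/services/cardiology', hasPixel: true },
  { url: 'https://clinic.example/appointments/new', hasPixel: true },
  { url: 'https://clinic.example/portal/messages', hasPixel: true },
  { url: 'https://clinic.example/locations/?patient_id=123', hasPixel: true },
  { url: 'https://clinic.example/schedule', hasPixel: false },
];

console.log(findPixelViolations(SAMPLE_INVENTORY));
```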
Are you a healthcare marketer worried about HIPAA compliance in the digital era?
Don’t hesitate to chat with us now.